[isalist] Re: Network Load Balancing And Network Hardware Recommendations

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Jan 2007 13:42:29 -0600

That's right. If the firewall service is unavailable or disabled, then that 
node is automatically removed from the NLB array.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Dave May
        Sent: Thursday, January 18, 2007 12:57 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Network Load Balancing And Network Hardware 
Recommendations
        
        

        Haven't ever tried it with ISA, this was based off of my experience in 
using it for a recent speech recognition project.  Are there any plans to 
support multicast in the future?  With properly configured switches, 
technologically speaking it seems to be the best way to go...  

         

        Not sure what you mean about "lack of service awareness" though.  For 
example in a web server NLB farm, if the World Wide Web Publishing Service 
failed the server will still receive load balanced TCP port 80 packets, causing 
intermittent outages for clients accessing the site.  Does ISA perform some 
trickery in this regard?

         

        Dave.

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Thursday, January 18, 2007 1:23 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Network Load Balancing And Network Hardware 
Recommendations

         

        The problem with multicast and ISA is that ISA EE doesn't support 
multicast in its integrated support for NLB. Only unicast is supported with ISA 
EE. I definitely don't recommend using multicast with ISA EE, because of the 
lack of service awareness.

         

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- Microsoft Firewalls (ISA)

         

                 

                
________________________________


                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Dave May
                Sent: Thursday, January 18, 2007 12:12 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Network Load Balancing And Network 
Hardware Recommendations

                FYI, the key to making multicast work well is to a) enable IGMP 
multicast in NLB and b) either enable IGMP snooping on your switch(es) or set a 
static entry.  Note that if your switches do not allow a unicast IP to ARP to a 
multicast MAC (if I remember correctly) it isn't going to work right and the 
traffic will flood across all ports.  That last part caused me a major 
headache, which was only resolved with a great deal of traffic sniffing via 
Wireshark.  Turned out to be a bug in the switch firmware...

                 

                YMMV,

                 

                Dave.

                 

                
________________________________


                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
                Sent: Thursday, January 18, 2007 9:58 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Network Load Balancing And Network 
Hardware Recommendations

                 

                Hmmm...  I had no problem with ISA-integrated NLB with two VIPs 
(OWA) running connected to a layer 3 switch (Cisco 6509).  The SMTP Gateways 
(ISA on top of IIS SMTP) in the same network segment and connected to the same 
layer 3 switch also utilized ISA-integrated NLB and handled around 200K 
messages a day just fine.  But, we had front-end and back-end NICs on these 
boxes with both sides connected to separate VLANs.

                 

                Interestingly enough, we had more problems with the setup when 
NLB was configured for Multicast (each port sees two MAC addresses - 
physical/virtual) and the MAC addresses were hardcoded into the network fabric.

                 

                Cordially yours,

                Jerry G. Young II

                Product Engineer - Senior

                Platform Engineering, Enterprise Hosting

                NTT America, an NTT Communications Company

                 

                22451 Shaw Rd.

                Sterling, VA 20166

                 

                Office: 571-434-1319

                Fax: 703-333-6749

                Email: g.young@xxxxxxxx

                 

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK 
INFRA ASST MGR
                Sent: Thursday, January 18, 2007 7:19 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Network Load Balancing And Network 
Hardware Recommendations

                 

                NLB doesn't work fine with Layer 3 switches, and that has been 
known for a bunch of years.

                The only thing you need is a plain layer 2 switch and your ISAs 
connected to it, if you don't want to spend a lot of money, go for the Netgear 
GS605 which is a $30 gigabit layer 2 switch.

                 

                Now, of course most (if not all of them) layer 3 switches are 
managed switches so you can play with them and forward the traffic to all the 
ports on it.

                But again, if budget is a concern then go for the Netgear; I 
have some and they work great.

                 

                Regards

                Diego R. Pietruszka

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Holmes
                Sent: Wednesday, January 17, 2007 7:12 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Network Load Balancing And Network 
Hardware Recommendations

                 

                Hello,

                 

                The switch that I am currently using is an HP ProCurve Switch 
Model 2824. The issue that I have had previously was one of the switch shutting 
down the ports due to the NLB Mac Address "jumping around" between different 
ports on the switch.  That problem occurred on a CISCO switch (don't remember 
the exact model gbb something or other). If I understand things correctly (Note 
that I did say IF) there are switch configuration issues that have to be 
addressed.  KB 193602 (posted incorrect number last time, sorry) mentions one of 
them, which is the issue with port flooding and suppressing this with VLANs.

                 

                My past experience using Switches with NLB on Windows NT and 
Windows 2000 was a train wreck.  The path of least resistance was a dumb hub 
between the nodes and the switch that gave the switch a consistent view of the 
NLB cluster.  That is why I am currently using Unicast With a Hub as KB193602 
indicates.

                 

                If I understand correctly, I should be able to mask the NLB MAC 
address and, after doing so, connect directly to a switch. As a side effect of 
this, any request to the NLB cluster will be sent to all ports of the switch 
(port flood). Thus traffic will be sent to any and all machines on the switch 
unless you define VLANs.

                 

                As another option, I could use another L2 switch that only deals 
with my NLB and have a single uplink, just like my current hub has, thus gaining 
gigabit full duplex connections. Or would the port flooding also affect the 
upstream switch? It doesn't seem like it should. The upstream switch would see 
something answering on the NLB switch's port.

                 

                Will something like a Netgear GS105 work in this instance for 
testing purposes?

                 

                It's the switch getting too smart for MY own good that I worry 
about, which is why I am asking these questions.

                
                Thanks

                 

                Bill

                 

                
________________________________


                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Wednesday, January 17, 2007 4:07 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Network Load Balancing And Network 
Hardware Recommendations

                 

                "HP Procurve" - what?

                That's a product line, not a switch model.

                 

                Also, you don't need to use a hub; a L2 switch generally works 
just fine.

                The problem is when the switch tries to be too smart about L3 
and ends up being too smart for its own good.

                 

                 

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Holmes
                Sent: Wednesday, January 17, 2007 11:55 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Network Load Balancing And Network Hardware 
Recommendations

                 

                Hello,

                 

                This is possibly a little off topic.

                 

                We currently use Windows Network Load Balancing for our 
Exchange and ISA servers. Right now to avoid problems with our network switches 
I have a hub between the NLB hosts and our Network Switches. This connection is 
therefore limited to 100MB ½ duplex connections.

                 

                I have new hardware coming in that I need to use NLB on and I 
would like to have an optimal configuration. I have taken a look at Microsoft 
KB 192602 and am looking for further recommendations. Our network switches are 
HP Procurve. 

                 

                Thanks

                 

                Bill

                All mail to and from this domain is GFI-scanned.
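
The switch behaviour discussed in this thread (unicast MAC masking, port flooding, multicast static entries) can be checked against a switch MAC table. The following is an added example, not code from any poster in the thread: it derives the cluster MACs from the virtual IP using NLB's documented address formats (which the thread itself does not spell out) and audits a constructed table. The function names, finding codes, VIP and port names are all assumptions made for illustration.

```python
import ipaddress

def _fmt(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)

def cluster_mac(vip: str, mode: str) -> str:
    """Cluster MAC that NLB derives from the virtual IP w.x.y.z."""
    ip = ipaddress.IPv4Address(vip).packed
    if mode == "igmp":                        # IGMP multicast: 01-00-5E-7F-y-z
        return _fmt(b"\x01\x00\x5e\x7f" + ip[2:])
    prefixes = {"unicast": b"\x02\xbf", "multicast": b"\x03\xbf"}
    return _fmt(prefixes[mode] + ip)          # 02-BF-w-x-y-z / 03-BF-w-x-y-z

def masked_source_mac(vip: str, host_priority: int) -> str:
    """Unicast with source-MAC masking: a node transmits as 02-<priority>-w-x-y-z."""
    return _fmt(bytes([0x02, host_priority]) + ipaddress.IPv4Address(vip).packed)

def audit(mac_table, vip, mode, node_ports):
    """mac_table rows are (mac, port, 'static'|'dynamic'); returns a finding code."""
    target = cluster_mac(vip, mode)
    ports = {port for mac, port, _kind in mac_table if mac.upper() == target}
    if mode == "unicast":
        # Masking exists so the switch never learns the cluster MAC and so
        # floods it to every node; a learned entry pins traffic to one port.
        return "CLUSTER_MAC_LEARNED" if ports else "FLOODS_VLAN"
    if not ports:
        return "FLOODS_VLAN"                  # no snooping state, no static entry
    if set(node_ports) - ports:
        return "NODE_PORT_MISSING"            # some node never sees cluster traffic
    return "CONSTRAINED_TO_NODES"

# Constructed sample data: documentation VIP and made-up port names.
VIP = "192.0.2.10"
NODE_PORTS = ["Gi1/0/1", "Gi1/0/2"]
TABLE = [
    ("02-01-C0-00-02-0A", "Gi1/0/1", "dynamic"),   # node 1 masked source MAC
    ("02-02-C0-00-02-0A", "Gi1/0/2", "dynamic"),   # node 2 masked source MAC
    ("03-BF-C0-00-02-0A", "Gi1/0/1", "static"),    # static entry, one port only
]

if __name__ == "__main__":
    for mode in ("unicast", "multicast", "igmp"):
        print(mode, cluster_mac(VIP, mode), audit(TABLE, VIP, mode, NODE_PORTS))
```
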
